CD160: Equifax Breach

If you are an American adult, there is a good chance that criminals now have the ability to match your name and social security number, greatly increasing your risk of becoming a victim of identity fraud. In this episode, hear highlights from Congressional hearings about the Equifax breach that exposed the personal information of 145.5 million Americans as we explore the key role that credit reporting companies play in our society.

Please Support Congressional Dish

  • Click here to contribute using credit card, debit card, PayPal, or Bitcoin
  • Click here to support Congressional Dish for each episode via Patreon
  • Mail Contributions to:
    5753 Hwy 85 North #4576
    Crestview, FL 32536

Thank you for supporting truly independent media!


Bills

H.J.Res.111: Providing for congressional disapproval under chapter 8 of title 5, United States Code, of the rule…

H.R. 624: Social Security Number Fraud Prevention Act of 2017

H.R. 2622 (108th): Fair and Accurate Credit Transactions Act of 2003


Sound Clip Sources

Senate Session: US Senate approves disaster relief bill; Senate; October 24, 2017.
  • 3:57:20 Sen. Sherrod Brown (OH): Studies show that Wall Street and other big companies win 93 percent of the time in arbitration. Ninety-three percent of the time in arbitration the companies win. No wonder they are fighting like hell. No wonder they have lobbied this place like we have never seen. No wonder every Wall Street firm is down here begging their Senators to stand strong with Wall Street and pass this CRA, pass this resolution to undo the rule stopping forced arbitration.
  • 4:05:00 Sen. Mike Crapo (ID): The real issue is whether we will try to force the resolution of disputes in financial resolution into class action lawsuits. This is a question about whether we should force dispute resolution mechanisms into class actions. In fact, let me read the actual language of the rule that we are debating. It doesn’t say anything about forced arbitration clauses. In fact, the rule doesn’t stop arbitration clauses in contracts. It stops protections in arbitration clauses against class action litigation. Let’s read what the actual rule says: The CFPB rule prohibits a company from relying in any way on a predispute arbitration agreement with respect to any aspect of a class action that concerns any consumer financial product or service. In other words, the entire purpose of this rule is to promote class action litigation and to stop arbitration resolution when there is a dispute.
Hearing: Equifax Sen Banking Hearing; Senate Judiciary Committee, Subcommittee on Privacy, Technology, and the Law; October 4, 2017.

Witness:

  • Richard Smith: Former Chairman & CEO of Equifax
  • 27:20 Sen. Chuck Grassley (IA): Additionally, we must appreciate the fact that not all data breaches are the same. The information and risk of harm can greatly vary from one breach to another. For example, the past breaches at Target and Neiman Marcus, which this committee held a hearing to examine, involved financial information such as credit and debit cards. Of course, this is information that absolutely must be protected and secured. If it falls in the wrong hands, it can create a lot of problems for individuals. But in the Equifax data breach, I think that’s different. It’s important that consumers and policymakers recognize this distinction because the threat landscape has changed. The information hackers obtained or gained access to in the Equifax breach is the most sensitive personal information used by thieves to commit identity theft. So, we should let that sink in very definitely. A credit card number or bank account information can be changed with a phone call, but you can’t change your social security number and your date of birth. Anyone who’s ever applied for a loan, a credit card, a job, or opened a bank account knows you have to provide a social security number, date of birth to verify your identity. Thus, if someone has this information they can do the same and take over your identity. They can become you. And you won’t know it happened until it’s too late.
  • 38:30 Sen. Jeff Flake (AZ): In your testimony before the House yesterday, you stated that Equifax’s “traditional business model is with companies, not with 400 million consumers.” What portion of Equifax’s business is consumer facing? Richard Smith: Mr. Chairman, roughly 10% of our revenues around the world come from what we call B to C—business to consumer. Flake: That’s 10%. Then, what is the main source of Equifax’s revenue stream? Smith: The vast majority, the remaining, is largely doing analytics, insights, and providing solutions to banks, telecommunications companies, credit card issuers, insurance companies, and the like around the world. Flake: So, if only 10% of the revenue is consumer facing, what is the company’s incentive for keeping consumer data secure when it has no meaningful interaction or limited meaningful interaction with the accountability of consumers? Smith: We are clearly viewed as a trusted steward of that information, and losing that information violates the trust and confidence not only of the consumer but also of the companies we do business with as well.
  • 1:01:52 Sen. Patrick Leahy (VT): You spent a lot of money lobbying against a consumer-protection act that might require you to notify consumers immediately in such breaches. Are you still going to fight and still spend hundreds of thousands of dollars to stop that kind of a consumer-protection bill from going through? Richard Smith: Senator, I can tell you as a company we do have a government-relations team. In the scheme of things, it’s relatively small. We’re a company with expenses of well over $2 billion. I think our entire lobbying budget, which includes association fees, is a million dollars or less. Leahy: I could care less what your budget is for lobbying. The fact is you opposed legislation that might require notifying consumers, might actually give consumers the ability to respond when they’ve been hurt. Are you going to—is Equifax going to continue to fight consumers’ right to know? Smith: One, I’m unaware of that particular lobbying effort you’re referring to. I can talk to the company, but I’m unaware of that particular lobbying effort. Leahy: It was in your report that you have to file on your lobbying expenses.
  • 1:03:30 Sen. Mazie Hirono (HI): Do consumers have the right to find out what kind of information data brokers like Equifax have on them? Richard Smith: Do they have the right? Hirono: Yeah, yes. Can they call Equifax up and say, what do you have on me? Smith: Every consumer has the right to a free credit report from us, from the industry, and that credit report would detail all the information that the credit file would have on them. Hirono: But that’s just their credit, but you have a lot of other information on everybody besides just their credit information, do you not? Smith: Yes, we do. Hirono: So, if—and my understanding is that you get all this information free. You don’t pay anybody for the information you gather on 145 million people, which is more than one out of three people in our entire country. Smith: It’s largely free. There are exceptions, obviously, but this business, as you know, we’re 118 years old. We’re part of a federally regulated ecosystem that enables consumers to get access to credit. Hirono: Yes. Smith: So that data’s there, and it’s used at their consent, by the way. Regardless of the type of data we have—if it’s your employment data or your income data or your credit data—that data can only be accessed if you as a consumer give the consent for someone to access that. Hirono: How does one give consent— Smith: If you— Hirono: —if you’re selling the information that you have on them? Smith: So, if you as a consumer go to your bank and want to get a credit card, for example, when you sign a contract with the bank for the credit card, you’re allowing the bank the access to approve your credit, in this particular case, to give you the best rate and the best line.
  • 1:17:52 Sen. Richard Blumenthal (CT): Can you guarantee this committee that no consumer will ever be required to go to arbitration? Richard Smith: I cannot, sir. Blumenthal: Why? Smith: Well, one, I’m no longer with the company. I can talk to the management team. Blumenthal: Well, that’s what I mean by the designated fall guy. You know, you’re here, you can’t speak for the company. I’m interested in looking forward. How will consumers be protected? Will arbitration be required of them? Will they be compensated for the sense of security that has been lost? Will there be a compensation fund? Will there be insurance against that kind of loss? And I’m talking about a compensation fund that applies to them because of that loss of privacy. These kinds of questions, which you’re unable to answer because you’re no longer with the company, are as profound and important as any investigative effort looking back, and I recognize you’re here without the authority to make these decisions, but I think someone from the company has to make them.
Hearing: Equifax Senate Banking; Senate Banking Committee; October 4, 2017

Witness:

  • Richard Smith: Former Chairman & CEO of Equifax
  • 6:03 Sen. Sherrod Brown (OH): But security doesn’t generate short-term profits. Protecting consumers apparently isn’t important to your business model, so you gather more and more information, you peddled it to more and more buyers. For example, you bought a company called TALX so you could get access to detailed payroll information—the hours people worked, how much they were paid, even where they lived—7,000 businesses. You were hacked there, too, exposing the workers of one proud Ohio company—400,000 workers at Kroger—and an unknown number of people’s information to criminals who used it to commit tax fraud.
  • 26:35 Sen. Ben Sasse (NE): Your organization has committed to providing identity-monitoring services for the next year, but I’m curious about whether or not Equifax and your board have deliberated. Do you think your responsibility ends in one year, in two years, in five years, in 10 years; and if you think it ends at some point, have you tried to think about the goodwill and balance sheet impact of all this? How can you explain to an American whose identity might be stolen later because of this breach why your responsibility would ever end? Does it end? Richard Smith: I understand the question. And it extends well beyond a year, Senator. The first step we took was the five services we mentioned to the chairman a minute ago, which gets the consumer through one year. The ultimate control for security for a consumer is going to the lifetime lock. The ability for a consumer to lock down his or her file, determine who they want to have access for life— Sasse: But isn’t this—just to interrupt—isn’t that about people who might be breached in the future. I’m talking about the 145 million whose data has already been stolen. Does your responsibility end, or what do you think your legal obligations are to them? Smith: I think the combination of the five services we’re offering combined with the lifetime lock is a good combination of services. Sasse: I actually think the innovation of some of the stuff you proposed for the big three going forward is quite interesting, but why does any of that five really do much for the data that’s already been stolen? Smith: Senator, again, the combination of the five offerings today plus the lifetime lock we think is the best offering for the consumer. Sasse: Okay, I don’t think you’ve really answered the question about whether or not your exposure legally ends for the 145 million.
  • 29:13 Sen. Ben Sasse (NE): I want to open, at least, the allegations that Equifax executives engaged in insider trading relating to knowledge of this cyber breach. One of the clearest times in definitions of insider trading occurs when a business executive trades their company stock because of confidential knowledge that they have gained from their job. I’m sure you can imagine why Americans are very mad about the possibility that this occurred here. While insider trading is going to be discussed a lot more later in this hearing, I wish you could just very quickly give us a timeline of the first steps. When did Equifax first learn of the May 2017 breach, and when did you inform the FBI of that breach? Richard Smith: Thank you. I’ll answer as quickly as I can. We notified the FBI cybersecurity forensic team and outside global law firm on August 2. At that time, all we saw was suspicious activity. We had no indication, as I said in my oral testimony, of a breach at that time. You might recall that the three individuals sold stock on August 1 and 2. We did not have an indication of a breach until mid- to late August. Sasse: So you’re saying that those three executives—Mr. Chairman, I’ll stop—you’re saying those three executives had no knowledge of a breach on August 1 or 2. Smith: To the best of my knowledge, they had no knowledge and they also followed our protocol to have their stock sales cleared through the proper channels, which is our general counsel.
  • 32:00 Sen. Jon Tester (MT): Let’s fast forward to the 29th of July, and you learned for the first time that your company has been hacked—don’t know how big the hack is, but it’s been hacked—and it was preceded by this notification from US-CERT. Three days after, as Senator Sasse pointed out, you had three high-level execs sell $2 million in stock. That very same day, you notified the FBI of the breach. Can you tell me if your general counsel was held accountable for allowing this stock sale to go forward? Or did he not know about the breach. Richard Smith: Senator, clarification: On the 29th and 30th, a security person saw suspicious activity, shut the portal down on the 30th. There was no indication of a breach at that time. The internal forensics began on the 30th. On the 2nd we brought in outside cyber experts—forensic auditors, law firm, and the FBI. The trades took place on the 1st and the 2nd. At that time, the general counsel, who clears the stock sales, had no indication—or to the company—of a security breach. Tester: Well, I’ve got to tell you something, and this is just a fact, and it may have been done with the best of intentions and no intent for insider trading, but this really stinks. I mean, it really smells really bad. And I guess smelling bad isn’t a crime. But the bottom line here is that you had a hack that you found out about on the 29th. You didn’t know how severe it was. You told the FBI about the breach. On that same day, high-level execs sell $2 million worth of stock, and then you do some investigation, evidently, and you find out at the end of the month that—or, at least, by the first part of September—that this is a huge hack, and you finally notify the public. And as was pointed out already in this committee, these are people that didn’t ask for your service. You’ve gathered it. And now it’s totally breached. And then, as Senator Sasse said, what’s the length of exposure here, and you said, we’ll be doing these five things. 
That’s proactive, and I think we can all applaud those efforts. But I’ve got to tell you, that doesn’t do a damn thing for the people who have had their identity stolen and their credit rating stolen. So let me ask you this: So their credit rate goes up a little bit, and they go buy a house for 250,000 bucks on a 30-year note, and it costs them 25 grand. Are you liable for that? Smith: Senator, I understand your anger and your frustration. We’ve apologized for the breach, we’ve done everything in our power to make it right for the consumer, and we think these services we’re offering is a right first step.
  • 53:57 Sen. Elizabeth Warren (MA): In August, just a couple of weeks before you disclosed this massive hack, you said—and I want to quote you here—“Fraud is a huge opportunity for us. It is a massive, growing business for us.” Now, Mr. Smith, now that information for about 145 million Americans has been stolen, is fraud more likely now than before that hack? Richard Smith: Yes, Senator, it is. Warren: Yeah. So the breach of your system has actually created more business opportunities for you. For example, millions of people have signed up for the credit-monitoring service that you announced after the breach—Equifax is offering one year of free credit monitoring—but consumers who want to continue that protection after the first year will have to pay for it, won’t they, Mr. Smith. Smith: Senator, the best thing a consumer could do is get the lifetime lock. Warren: I’m asking you the question. You’re offering free credit monitoring, which you say is worth something, and you’re offering it for only one year. If consumers want it for more than one year, they have to pay for it. Is that right? Smith: Yes, Senator. But the most, the best thing a consumer can do is the lock product. It’s better than monitoring. Warren: Okay, but, they’re going to have to pay after one year if they want your credit monitoring, and that could be a lot of money. So far, seven and a half million people have signed up for free credit monitoring through Equifax since the breach. If just one million of them buy just one more year of monitoring through Equifax at the standard rate of $17 a month, that’s more than $200 million in revenue for Equifax because of this breach. But there’s more. LifeLock, another company that sells credit monitoring, has now seen a 10-fold increase in enrollment since Equifax announced the breach. 
According to filings with the SEC, LifeLock purchases credit monitoring services from Equifax; and that means someone buys credit monitoring through LifeLock, LifeLock turns around and passes some of that revenue directly along to Equifax. Is that right, Mr. Smith? Smith: That is correct. Warren: That’s correct. Okay. The second Equifax announced this massive data breach, Equifax has been making money off consumers who purchased their credit monitoring through LifeLock. Now, Equifax also sells products to businesses and government agencies to help them stop fraud by potential identity thieves. Is that right, Mr. Smith? Smith: Yes, Senator. There’s one clarification. You’d mentioned the LifeLock relationship— Warren: Uh-huh. Smith: —which was accurate. At the same time, the majority of that revenue we normally generate is direct to consumer. We’ve shut that down. We’re no longer selling consumer product directly. Warren: I’m sorry. My question is, every time somebody buys through LifeLock—and they’ve seen a 10-fold increase since the breach—you make a little more money. We actually called the LifeLock people to find this out. So, I asked you the question, but I already know the answer. It’s true. You’re making money off this. So, let me go to the third one. Equifax sells products to businesses and government agencies to help them stop fraud by potential identity thieves, right? Smith: To the government, yes. Not to the business. Warren: You don’t sell to businesses? Just small businesses? Smith: We sell business, but it’s not to prevent fraud. That’s not the primary focus or business. Warren: But to stop identity theft, you don’t have any products that you’re touting for identity-theft purposes? Smith: Senator, all I’m saying is the vast majority we do for businesses is not fraud. Warren: Look, you’ve got three different ways that Equifax is making money, millions of dollars, off its own screw up, and meanwhile, the potential costs to Equifax are shockingly low. 
Consumers can sue, but it turns out that the average recovery for data breaches is less than $2 per consumer, and Equifax has insurance that could cover some big chunk of any potential payment to consumers. So, I want to look at the big picture here. From 2013 until today, Equifax has disclosed at least four separate hacks in which it compromised sensitive personal data. In those four years, has Equifax’s profit gone up? Mr. Smith? Smith: Yes, Senator. Warren: Yes, it has gone up, right? In fact, it’s gone up by more than 80% over that time. You know, here’s how I see this, Mr. Chairman. Equifax did a terrible job of protecting our data because they didn’t have a reason to care to protect our data. The incentives in this industry are completely out of whack. Because of this breach, consumers will spend the rest of their lives worrying about identity theft. Small banks and credit unions will have to pay to issue new credit cards, businesses will lose money to thieves, but Equifax will be just fine. Heck, it could actually come out ahead. Consumers are trapped, there’s no competition, nowhere else for them to go. If we think Equifax does a lousy job protecting our data, we can’t take our data to someone else. Equifax and this whole industry should be completely transformed. Consumers—not you—consumers should decide who gets access to their own data. And when companies like Equifax mess up, senior executives like you should be held personally accountable, and the company should pay mandatory and severe financial penalties for every consumer record that’s stolen. Mr. Chairman, we’ve got to change this industry before more people are injured.
  • 1:22:00 Sen. John Kennedy (LA): It just seems incongruent to me that you have my information—you don’t pay me for it; you don’t have my permission — you make money collecting that information, selling it to businesses — and I think you do a service there; don’t misunderstand me — and you also come to me—you can’t run your business without me; my data is the product that you sell — and you also offer me a premium service to make sure that the data you’re collecting about me is accurate. I mean, I don’t pay extra in a restaurant to prevent the waiter from spitting in my food. You understand my concern? Richard Smith: I understand your point, I believe, but another way to think about that is the monitoring part that you’re referring to, Senator? Kennedy: Uh-huh. Smith: In the future, it’s far less required if you as a consumer have the ability to freeze, or lock as we call it, and unlock your file. And that is free for life. Kennedy: But it’s not just the freeze part. What if you had bad information about me? Have you ever—has an agency ever had bad information about you, and you had to go through the process of correcting it? Smith: Yes, Senator. There’s a process that if— Kennedy: It’s a pain in the elbow, isn’t it. I mean, the burden’s kind of on – you have my data, which you haven’t paid me for. You’re earning a good living, which I don’t deny you. I believe in free enterprise. I think this is a very clever business model you’ve come up with. But you’re earning your money by selling my data, which you get from me and don’t pay me for, to other people, but if the data is wrong that you have about me, I would think you would want to make it as easy as possible to correct it, not as hard as possible. 
Smith: I understand your point, and it’s an important point for the entire industry to make the process as consumer-friendly as possible if there’s an error on your utility bill, if there’s an error on your bank bill, your credit card statement, to work with consumers to make— Kennedy: Well, can you commit to me today that Equifax is going to set up a system where a consumer who believes that Equifax has bad information about him can pick up the phone and call a live human being with a beating heart and say, here’s this information you have about me that you’re selling to other people—you’re ruining my credit, and it’s not true, and I want to get it corrected. How are you going to correct it, what information do you need from me to prove that it’s incorrect, and when are you going to get back to me, and give me your name and phone number so I can call you. Smith: Senator, I understand your point. There is a process that exists today. More than half— Kennedy: Yeah, and it’s difficult, Mr. Smith. Smith: Be more than happy to get the company to reach out to your staff, explain what we do, and what we’re doing to improve that process. I hear you.
Hearing: House Equifax CEO Hearing; House Energy and Commerce Subcommittee on Digital Commerce and Consumer Protection; October 3, 2017

Witness:

  • Richard Smith: Former Chairman & CEO at Equifax
  • 5:13 Rep. Jan Schakowsky (IL): The Equifax data breach was massive in scale: 145.5 million American victims as of yesterday. I would call it shocking, but is it really? We have these under-regulated, private, for-profit credit reporting agencies collecting detailed personal and financial information about American consumers. It’s a treasure trove for hackers. Consumers don’t have a choice over what information Equifax or, for example, TransUnion or Experian, have collected, stored, and sold. If you want to participate in today’s modern economy; if you want to get a credit card, rent an apartment, or even get a job often, then a credit reporting agency may hold the key. Because consumers don’t have a choice, we can’t trust credit reporting agencies to self-regulate. It’s not like when you get sick at a restaurant and decide not to go there anymore. Equifax collects your data, whether you want to have it collected or not. If it has incorrect information about you, it’s really an arduous process—I’ve tried it—to get it corrected. When it comes to information security, you are at the mercy of whatever Equifax decides is right; and once your information is compromised, the damage is ongoing. Given vast quantities of information and lack of accountability, a major breach at Equifax, I would say, would be predictable if not inevitable. I should really say breaches. This is the third major breach Equifax has had in the past two years. From media reports and the subcommittee’s meeting with Equifax officials after the breach, it’s clear to me that the company lacked appropriate policies and practices around data security. This particular breach occurred when hackers exploited a known vulnerability that was not yet patched. It was months later before Equifax first discovered the breach, and it was another several weeks before Equifax shared news with consumers, this committee, the Federal Trade Commission, and the Consumer Financial Protection Bureau. 
Senior officials at the company are saying they weren’t immediately aware that the breach occurred, and yet, by the way, there were executives who sold over a million dollars in stock just days after the breach was discovered but, yet, not reported. And for a lot of Americans, that just doesn’t pass the smell test.
  • 22:45 Richard Smith: We know now that this criminal attack was made possible because of a combination of human error and technological error. The human error involved the failure to apply a software patch to our dispute portal in March of 2017. Technological error involved a scanner which failed to detect that vulnerability on that particular portal. Both errors have since been addressed. On July 29 and July 30, suspicious activity was detected, and a team followed our security-incident protocol. The team immediately shut down the portal and began our internal security investigation. On August 2, we hired top cybersecurity, forensic, and legal experts, and at that time, we notified the FBI. At that time, to be clear, we did not know the nature or the scope of the incident. It was not until late August that we concluded that we had experienced a major breach.
  • 47:53 Rep. Frank Pallone (NJ): All right, during your tenure at Equifax, you expanded the company’s business into packaging and selling other people’s data, and in that August 17 speech, you explained that having free data with a gross margin of profit of about 90% is—and I quote—“a pretty unique model.” And I get that this unique model is a good deal for Equifax, but can you explain how it’s a good deal for consumers? Richard Smith: Thank you, Congressman. I think I understand the question. Our industry has been around for a number of years, as you know. In fact, Equifax is a 118-year-old company. We’re part of a federally regulated ecosystem that enables consumers to get access to credit when they want access to credit and, hopefully, at the best rates available to them at that time. So we’re very vital to the flow of economy, not just in the U.S. but around the world. Pallone: All right, I want to turn to what Equifax is offering consumers in the wake of this breach, specifically the free credit-lock service that is supposed to be introduced next year. We’ve been told that this free credit-lock service could require consumers to consent to Equifax sharing or selling the information it collects from the service to third parties with whom the individual already has a business relationship for marketing or other purposes. Is that true? Smith: This product will be a web-enabled, mobile-enabled application that will allow a consumer at a time he or she, if they decide they want access to credit, can simply toggle on, toggle off that application to give the bank, credit card issuer, auto lender, access to their credit file to approve their loan. Pallone: Well, by agreeing to use the Equifax’s lock service, will consumers also be opting in to any additional marketing arrangements, either via Equifax or any of its partners? Smith: Congressman, we’re trying to change the paradigm. 
What I mean by that is, this will be in an environment viewed as a service, a utility, not a product. But we know cross-selling, upselling, or any products available to the consumer, when they go to get and sign up for the lock product, it’s a service to them, and that’s the only product—this service they’ll be able to get. Pallone: Will Equifax give consumers an easy and free method to choose not to share their data in this way, even if the consumer already has a business relationship with the third party? Smith: Yeah, Congressman, I’d envision as this evolves over time, the consumer will have the ability to invite into their world who they want to have access and who they do not. It’ll be their choice, their power, not ours, to make that decision. Pallone: Now, last week, the interim CEO announced that by January 31 of 2018 Equifax would make locking and unlocking of a person’s Equifax credit report free forever. A credit-report lock is already included in TrustedID Premier and other services like credit monitoring and identity-theft insurance. Will that still end after one year? Smith: Congressman, a couple of differences. Number one, the product we offer today for consumers protects the consumer at the same-level protection they’d get January 31. The difference is, today is a browser-enabled product, or service; the 31 of January it’ll be an application, much simpler and easier for the consumer to use. The protection is largely the same. So they get this free service when they sign up for one year. At the end of the one year, effective January 31 of 2018, it goes into the new lock product. Pallone: I guess the difference, other than not expiring, between the credit-report lock that is part of TrustedID Premier and the credit-locking tool that will be available in January, why not just extend the freeze program? 
Smith: There’s a difference between the freeze product, which came to pass with FACTA back in 2003, passed into law in 2004, that is now governed by state laws in all states, and it’s a cumbersome process for a consumer. In many cases, some states require you to mail in your request for a freeze and that we must mail you a PIN, so your ability to get access to credit when you want credit is encumbered. A consumer could go to a car dealer or to a bank to get a credit card, forget his or her PIN on a freeze product, have to go back home, look for the PIN, mail the PIN in, so it’s a cumbersome process. The lock product we’re offering today is a big step forward; lock product for the 31 of January is an even further step forward.
  • 53:00 Rep. Joe Barton (TX): Mr. Smith, what’s the market value of Equifax? What’s your company worth, or your former— Richard Smith: Congressman, last time I checked it’s somewhere close to 13 billion. Barton: Thirteen billion. I’m told by my staff that this latest data breach was about 143 million people. Is that right? Smith: We were informed yesterday from the company that is typical in a forensic audit, there was some slight movement and the numbers adjusted. Press release came out from the company last night. It’s 145.5. Barton: A hundred—well, okay, I appreciate your accuracy there. But under current law, you’re basically required to alert each of those that their account has been hacked, but there’s really no penalty unless there is some sort of a lawsuit filed and the Federal Trade Commission or state attorney general files a class-action lawsuit against your company. So you really only notify—you’re just required to notify everybody and say so sorry, so sad. I understand that your company has to stay in business, has to make money, but it would seem to me that you might pay a little bit more attention to security if you had to pay everybody whose account got hacked a couple thousand bucks or something. What would the industry reaction be to that if we passed a law that did that? Smith: Congressman, I understand your question. I think the path that we were on when I was there and the company’s continued is the right path, and that’s a path, a line that the consumers to control the power of who and when accesses a credit file going forward, taking the— Barton: Well, a consumer can’t control the security of your system. Smith: That is true, sir, but they can control— Barton: And your security people knew there was a problem, and according to staff briefings that I’ve been a part of, they didn’t act in a very expeditious fashion until the system had already been hacked. And, I mean, you’re to be commended for being here. I don’t think we subpoenaed you. 
I think you appeared voluntarily, which shows a commendable amount of integrity on your part, but I’m tired of almost every month there’s another security breach, and it’s okay, we have to alert you. I checked my file to see if I was one of the ones that got breached, and apparently I wasn’t. I don’t know how I escaped, but I didn’t get breached, but my staff person did, and we looked at her reports last night, and the amount of information that’s collected is way beyond what you need to determine if she (audio glitch) for a consumer loan. Basically, her entire adult history, going back 10 years, everywhere she’s lived, her name, her date of birth, her social security number, her phone numbers, her addresses, her credit card, student loans, security-clearance applications for federal employment, car insurance, even employment history of jobs that she worked when she was in high school. That’s not needed to determine whether she’s worthy of getting a five-thousand-dollar credit card loan or something. And now it’s all out in the netherworld of whoever hacked it. I can’t speak for anybody but myself, but I think it’s time at the federal level to put some teeth into this and some sort of a per-account payment—and, again, I don’t want to drive credit bureaus out of business and all of that, but we could have this hearing every year from now on if we don’t do something to change the current system.
  • 58:42 Rep. Ben Lujan (NM): Will Equifax be willing to pay for this freeze at Experian and TransUnion for consumers whose information was stolen? Richard Smith: You’re referring to the freeze or the lock? Lujan: You said they’re the same, so… Smith: Yeah, right now we offer a free lock product, as you know, for one year, and then a free lifetime lock product for life, starting January 31, 2018. Lujan: And that also extends to Experian and TransUnion? Smith: No, sir, it does not. Lujan: Would Equif—let me repeat the question. Will Equifax be willing to pay for that freeze, for that lock, at Experian and TransUnion for consumers whose information was stolen by it—through Equifax? Smith: Congressman, the company’s come out with what they feel is a comprehensive five different services today and a lifetime lock. I would encourage, to be clear, I would encourage TransUnion and Experian to do the same. It’s time we change the paradigm, give the power back to the consumer to control who accesses his or her credit data. It’s the right thing to do. Lujan: Okay, I’m down to limited time, Mr. Smith. I apologize. I’ll take that as a no that Equifax will not pay for Experian and TransUnion consumers.
  • 1:26:09 Rep. Debbie Dingell (MI): Why do consumers have to pay you to access their credit report? Why should that data not be free? Richard Smith: Congresswoman, the consumer has the ability to access the credit report for free from each of the three credit reporting agencies once a year, and you combine that with the ability to lock your credit file for life for free. Again, it’s a step forward.
  • 2:00:40 Rep. Larry Bucshon (IN): Is it possible people who never signed up or used Equifax directly could have been impacted by the breach? Richard Smith: Yes, Congressman. Bucshon: Okay, so how does Equifax get the information on people who’ve never directly associated with Equifax at all? I mean, I’m not familiar with that. Smith: Yeah, we get it from banks, telecommunications companies, credit card issuers, so on and so forth. Bucshon: So just like we go to apply for a loan, they send you the information, because they want to get a data—they want to get the information on my credit rating, for example. Smith: Correct. As I define it, we are part of the federally regulated ecosystem— Bucshon: Yeah. Smith: —that enables banks to loan money to consumers. Bucshon: Right. So, it’s up to the banks, at that point, to notify the individual which credit agencies they’re utilizing to assess their credit risk? Or is it up to the credit agencies? Smith: Traditionally, the contributors of data—in that case, Congressman, the banks would give their data to all three. That’s the benefit of the system is you get a holistic view of an individual’s credit risk. Bucshon: Yeah. My point is, I guess, because a lot of people I talk to back in Indiana, southern Indiana, have no idea who Equifax is, right? And many of those people have applied for home loans and other things. And a matter of fact, probably at some point you have their information, but they may or may not have been notified who sent the information to them—probably the bank or other agency—and that’s something I think that is also maybe an issue, that people don’t understand or have not been told who is being used to assess their credit risk and, hence, something like this happens, they have no idea whether or not their information has been compromised. Smith: I understand your point. Bucshon: Yeah.
  • 2:09:20 Rep. Gene Green (TX): Mr. Smith, Equifax customers or businesses who purchase data and credit reports on consumers, the American public is essentially Equifax’s product. How many times per year on average does Equifax sell access to a given individual’s credit file to a potential creditor, and how much do they make every time they sell it? Richard Smith: If I understand the question, Congressman, we take the data that is given to us by the credit ecosystem of the U.S., add analytics to it, and then when a consumer wants credit—again, through a credit card, home loan, a car—the bank then comes to us for that data and for that analytics, and we charge them for that. Green: Okay. Well, the question was, how many times does Equifax receive payment for that individual credit file? Every time—if my local car dealer contacts Equifax, and so they pay a fee to Equifax for that information. Smith: Yes, Congressman. If you as an individual want to go to that car dealership and get a loan for a car, they come to us or to competitors, and when they take your data, access your data, we do get paid for it, correct.
  • 2:47:40 Richard Smith: If there’s one thing I’d love to see this country think about is the concept of a social security number in this environment being private and secure, I think it’s time as a country to think beyond that. What is a better way to identify consumers in our country in a very secure way, and I think that way is something different than an SSN, a date of birth, and a name.
  • 2:56:28 Rep. Jan Schakowsky (IL): What if I want to opt out of Equifax? I don’t want you to have my information anymore. I want to be in control of my information. I never opted in, I never said it was okay to have all my information, and now I want out. I want to lock out Equifax. Can I do that? Richard Smith: Congresswoman, that requires a much broader discussion around the rules of credit reporting agencies because that data, as you know today, doesn’t come from the consumer; it comes from the furnishers, and the furnishers provide that data to the entire industry. Schakowsky: No, I understand that. And that’s exactly where we need to go, to a much larger discussion, because most Americans really don’t know how much information, what it is that you have it, and they never said okay.
Video: Circle Jerk, YouTube, December 3, 2015
Hearing: Credit Privacy Hearing; Senate Commerce, Science, and Transportation Committee; December 18, 2013

Witnesses:

  • Tony Hadley: Senior VP of Government Affairs and Public Policy at Experian
  • 47:13 Sen. Jay Rockefeller (retired) (WV): So, Mr. Hadley, what does your company—or why does it single out and sell lists of economically vulnerable groups like immigrants, widows, and military personnel?
  • 48:03 Tony Hadley: Thank you, Senator. We would be very concerned if lenders were using that information for scamming purposes, too. And we have processes and procedures in place to ensure that nobody gains access to that score for that purpose. Now— Sen. Jay Rockefeller: And how does that work? Hadley: We have an onboarding system by which we take on a client that gets our information to know who they are, and we also have a mail-piece review process to know what they’re going to offer the consumer. And if it’s anything that looks discriminatory or predatory, we will not provide our list to them. Now— Rockefeller: And this is your self-regulation. Hadley: This is our self-regulation under DMA standards. So if we were to violate that, we’d be in violation of our self-regulatory standards as well as our contractual standards with our clients. Now, what’s important here is that there are somewhere between 45 and 50 million Americans who are outside the mainstream of the credit markets in the United States. These are underbanked, underserved consumers who financial institutions cannot reach through credit scoring and credit report. They don’t have financial identities or a big enough or even the presence of a credit file in order to bring them into the mainstream of financial markets. But that doesn’t mean that they don’t need access to financial services. So banks use this data to try to reach out to consumers who they can help to empower them, not to scam them. We don’t want to do business with financial institutions who are trying to scam people, only to empower them. And this is their best way to find those individuals who are outside the mainstream—immigrants; new to credit, like recent college graduates, exactly what we’re talking about here—to give them an offer, an invitation to apply, so that then they can make an eligibility determination regarding that application under the Fair Credit Reporting Act. 
But this is marketing literature, not eligibility determination. Rockefeller: Who— Hadley: Can I add to that for you? Rockefeller: Not entirely. Can you tell me which are the companies that buy this ChoiceScore product from you? We’ve asked you that. Hadley: Yeah. They would be banks and financial institutions and members of the financial community. Rockefeller: That’s what’s called a general answer. Hadley: Yeah. I can’t tell you who our clients are. That’s a proprietary list of ours. It’s like our secret ingredient. The ones who would want that most are our competitors. And our counsel has informed me that they don’t believe that our ability to give that to you can be shielded from disclosure through the rules of the Senate. If we thought they could be—for example, under a law enforcement action, where it could be shielded and protected from FOIA or other disclosures, we could do that, but not under the situation—under the rules of the Senate. And we’re very sorry about that, but we just simply can’t do that. Our counsel won’t let us.
  • 1:25:49 Sen. Claire McCaskill (MO): The case, Mr. Hadley, of Experian and Superget. You purchased the company Court Ventures in 2012, in the spring of 2012. For more than a year after the time you purchased this company that had all this data, you were taking monthly wire transfers from Singapore, and your company did nothing. And as it turns out, those wire transfers were coming from a man in Vietnam who specialized in identity theft and was marketing the information that you owned to criminals to ruin people’s lives. So my first question to you is, you were quoted as saying, “We would know who was buying this.” You were getting wire transfers from Singapore on a monthly basis, and no one bothered to check to see who that was? Hadley: Now, I want to be clear that this was not Experian marketing data; this was Experian authentication data. So it’s under a different company, a different use. So that’s just—I want you to know that it’s not marketing data. McCaskill: I don’t understand the distinction. I think it’s a distinction— Jay Rockefeller: Nor do I. McCaskill: —without a difference. I believe it was data that you owned, Experian owned. You’d purchased this data from Court Scan, and they had, in fact— Hadley: No. Let me clarify. McCaskill: —sold it to someone else. Hadley: Yeah, let me clarify that for you, because we’ve provided a full response to that question to the Committee, and it’s part of the eight submissions that we’ve given. And I do have to say that it’s an unfortunate situation, and the incident is still under investigation by law enforcement agencies. So I’m really extremely limited in what I can say publicly about it, but I do want to say this. The suspect in the case obtained data controlled by a third party—that was U.S. Info Search. That was not an Experian company—through a company we bought, Court Ventures— McCaskill: Okay. Let— Hadley: —prior to the time that we acquired that company. 
And to be clear, no Experian data was ever accessed in that deal. McCaskill: Well, I understand what you’re saying. Here’s what happened: You had U.S. Info Search— Hadley: No, we did not own— McCaskill: No, no; I’m— U.S. Info Search existed, and Court Ventures existed. Hadley: And they had a partnership. McCaskill: —they decided, for commercial reasons, to make more money, to combine their information. Hadley: To resell their information. McCaskill: And so they had a sharing agreement, those two companies, correct? Hadley: Right, right. McCaskill: Okay. So these two companies had a sharing agreement. Then you bought one of those companies. Hadley: Court Ventures. McCaskill: Correct. So now you owned it. Now you stood in their place. Are you a lawyer? Hadley: I’m not a lawyer, but I understand we stood in their place, right. McCaskill: Are there any lawyers on the panel? Okay; she’ll back me up. You stand in their place when you buy this. So now you’re there. Now, you said in your earlier testimony, we would know who was buying this. So you now are part of their transactions. Hadley: During— McCaskill: And you were receiving the benefit of these monthly wire. Hadley: So, during the due-diligence process, we didn’t have total access to all the information we needed in order to completely vet that. And by the time we learned about the malfeasance, I think nine months had expired. The Secret Service came to us, told us of the incident, and we immediately began cooperating with the Secret Service to bring this person to justice. McCaskill: Okay. Hadley: And we’re continuing to cooperate with law enforcement in that realm. This was—we were a victim and scammed by this person. McCaskill: Well, I would say the people who had all their identity stolen were the victims. Hadley: And we know who they are, and we’re going to make sure that they’re protected. There’s been no allegation that any harm has come, thankfully, in this scam. McCaskill: Okay. 
Hadley: And we’ve closed that down, and— Rockefeller: Let Senator McCaskill continue. Hadley: —and we’ve modified our processes to ensure that [unclear]— Rockefeller: Let Senator McCaskill continue. McCaskill: Okay. So let’s talk about that process. This person got—this man who they lured to Guam to arrest and who is now facing criminal charges in New Hampshire, they posed as an American-based private investigator. What is your vetting process when people want to buy your stuff? Hadley: That would’ve been Court Ventures who would have vetted that prior to our acquisition. McCaskill: Okay, but I’m talking about now, you. What is your vetting process? Hadley: Right now, before we would allow acc—first, let me say that that person would have not gained access to Experian or this data if they had gone through our vetting processes prior to the acquisition. McCaskill: And what would’ve stopped him? Hadley: We would’ve known who that company is. We would’ve had a physical onsite inspection of that company. We would’ve known who that business is and what that business’s record is. We would’ve known exactly why they wanted that data and for what purposes. And that would have been enshrined in our contract. And we would’ve known the kinds of systems they have in place to protect the data that they gained. Those are all incumbent upon us under the Gramm-Leach-Bliley Act and the FCRA. McCaskill: Well, listen, I understand that this was not a crime that began under your watch. Hadley: Thank you. McCaskill: But you did buy the company, and you did keep getting the wire transfers from Singapore, and the only reason you ever questioned them is because the Secret Service knocked on your door. I don’t know how long those wire transfers from Singapore would’ve gone on until you caught them. I don’t have confidence that it would’ve stopped at all. So I guess what my point is here, I maybe do not feel as strongly as others on this panel that behavioral marketing is evil. 
I believe behavioral marketing is a reality, and, frankly, the only reason we have everything we have on the Internet for free is because of behavioral marketing. So I don’t see behavioral marketing as an evil into itself. What I do see is some desperate need for Congress to look at how consumers can get this information, what kind of transparency is there, and whether or not companies that allow monthly wire transfers into their coffers from Singapore from a criminal who is trying to rip off identity theft, whether or not they should be held liable for no due diligence on checking those wire transfers from Singapore until the Secret Service knocked on their door. And that’s what I think we need to be looking at. And I don’t think there’s enough—I mean, I know that some of my friends on the other side of the aisle, you say trial lawyers, and they break out in a sweat. But the truth is that if there was some liability in this area, it would be amazing how fast people could clean up their act. And, unfortunately, in too many instances there’s not clear liability because we haven’t set the rules of the road.
Video: FreeCreditReport.com all 9 commercials, YouTube, October 3, 2009.
Hearing: Credit Scoring System; House Financial Services Subcommittee on Oversight and Investigations; July 30, 2008.

Witnesses:

  • Thomas Quinn: Vice President of Global Scoring at Fair Isaac Business Consulting
  • Stan Oliai: Experian Decision Analytics Consulting Senior Vice President
  • Chet Wiermanski: Transunion Credit Services Analytical Systems Vice President
  • Richard Goerss: Equifax Credit Services Chief Privacy Officer
  • Evan Hendricks: Privacy Times Publisher and Editor
  • 26:42 Thomas Quinn: A FICO score is a three-digit number ranging from 300 to 850, where the higher the score, the lower the risk. Lenders use the score, along with other information, to decision the request for credit, set the credit line and pricing terms. Creating the FICO score model requires two samples of credit reports, two years apart, for the same randomly selected depersonalized set of consumers provided by one of the national credit reporting agencies. Those credit factors found to be most powerful and consistent in predicting credit performance, individually and in combination, form the basis for the complex mathematical algorithm which becomes the score. The traditional FICO score model evaluates five broad types of data elements from the consumer credit report. These include, and listed in order of importance, previous credit payment history, about 35 percent contribution; level of outstanding debts, about 30 percent contribution; length of credit history, 15 percent contribution; pursuit of new credit, 10 percent contribution; and mix of type of credit, about 10 percent contribution. FICO scores were first introduced to the marketplace in 1989 and have been consistently redeveloped and updated throughout the years to ensure their predictive strength.
  • 34:00 Stan Oliai: A credit score is a numerical expression of risk of default, based on a credit report. The score is produced by a mathematical formula created from a statistical analysis of a large representative sample of credit reports. The formula is typically called a “model.” The credit score is calculated by the model, using only information in the credit report. These reports include the following types of information: The credit account history—such as was the account paid, was it paid on time, how long has the account been open, and what’s the outstanding balance; the type of account—is it a mortgage, is it an installment, is it revolving; the public record information—liens, judgments, bankruptcies, for example; inquiries in the credit file that represent applications for new credit and other consumer-initiated transactions. A credit report does not include information such as income or assets. It also does not include demographic information such as race or ethnicity. Demographic factors are not used in the calculation of a credit score.
  • 35:05 Stan Oliai: Regulatory oversight of credit scores is accomplished through routine bank examinations for compliance, with a number of laws that govern fair lending, such as the Equal Credit Opportunity Act. This makes sense because the lender chooses the scoring model to assist in this proprietary underwriting process. The lender is ultimately responsible for demonstrating to regulators that the scoring model it has chosen complies with the lending laws.
  • 46:20 Chet Wiermanski: There is strong evidence to suggest that consumers would benefit from the increased reporting of nontraditional credit information. For example, consumers with thin credit files and, in particular, minorities, immigrants, young and old, all experience a net benefit from full-file reporting by energy companies and telecommunication providers. Consumers with impaired credit histories also obtain a net benefit from full-file reporting by these companies. We are presently engaged in a follow-up study to learn more about the impediments to full-file reporting faced by the utilities and telecommunication industry. It may be very well that Congress may have a role to play in removing roadblocks to encourage voluntary full-file reporting.
  • 2:01:30 Richard Goerss: There are a lot of thing—different activities—that a consumer can do to protect themselves if they feel they are victims or might be victims of identity theft. Certainly, one of the things that they can do is to place a fraud alert on their credit file. They can receive a free disclosure of their credit file to see if there has been any inappropriate activity or inquiry to their credit file. They can provide an identity-theft report and identify the account information that they feel, or that they say, was opened fraudulently. And under the requirements of the FACT Act, the consumer reporting agencies are going to delete that information, and the consumer reporting agency that receives that identity theft with the information-removal request is going to refer it to the other two consumer reporting agencies, who are also going to remove that information.
  • 2:24:30 Evan Hendricks: Right now, you take it for granted that we know about credit scores, but you have to remember it was, like, 12 years ago, in the mid-1990s, when credit scores started being widely used. They were a complete secret; the industry did not even acknowledge their existence. Then, when they found out about it and reporters like Michelle Singletary of the Washington Post started reporting on it, then they would not disclose the score to you. So, California led the way with a state law, and now we have the FACT Act, which means that you can get one—you can buy a credit score for a fair and reasonable price.
  • 2:54:55 Rep. Jackie Speier (CA): We call these credit reporting agencies or credit bureaus, which gives the average consumer the impression that they are dealing with some federal entity, when in fact they are not—we heard this afternoon they’re private or publicly traded companies—and yet this information is so critical, and to Mr. Barrett’s comments, who suggested that the consumer needs to be educated, needs to know what goes into their FICO score and what they can do to improve their FICO score, we can’t give those kinds of answers, because, for all intents and purposes, it is a proprietary formula. It’s sort of like secret sauce; we don’t know what it is. Now, there’s something wrong when the government can’t articulate what should be considered in a FICO score.

Cover Art

Design by Only Child Imaginations

Music Presented in this Episode
